Russian hackers have been stealing personal and financial data straight from information clearinghouses, reselling it in bulk

InfoWorld | Sep 25, 2013

A Russian hacker gang running an identity theft service used a botnet made up of computers inside "some of America's largest consumer and business data aggregators," according to security researcher Brian Krebs.

Krebs has published the first in what he promises will be a series of articles about the SSNDOB identity theft service, which he claims can be used to look up "Social Security numbers, birthdays, and other personal data on any U.S. resident." The cost for such data: anywhere from 50 cents to $15, depending on what you're asking for.

Where did the hackers get their data? By way of botnets inside the very companies that provide that information legitimately to paying customers.

According to Krebs, SSNDOB (apparently based in Russia) has been harvesting much of its information through compromised servers inside three major data aggregators: LexisNexis, Dun & Bradstreet, and Kroll Background America. All three companies had their servers compromised around or before June 2013; Dun & Bradstreet's servers were hijacked in March. The bots planted by SSNDOB were designed not to trigger any antimalware scans.

Much of the data harvested from those services appears to have been retained by SSNDOB. Even after LexisNexis, for instance, shut down an account on its system that the company believed was being misused to harvest data, SSNDOB continued to offer LexisNexis-sourced background reports for another 10 days.
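The account shutdown described above is the service-side view of a harvesting operation: a bot sitting on an aggregator's own server may never trip an antimalware scan, but the lookups it issues still show up in the aggregator's access logs, and a harvester pulling one distinct record after another at machine cadence, around the clock, looks nothing like a paying customer running a handful of background checks. The following is an added example, not code from the article or from any of the companies named in it; it assumes a made-up log line format (`timestamp account_id lookup_type record_id`) and constructs its own sample log, with the volume threshold and "business hours" window chosen for illustration.

```python
"""Flag data-aggregator accounts whose lookup pattern looks like bulk harvesting.

Added example; the log format and thresholds are assumptions, not any real
aggregator's schema or policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log: one ordinary customer account and one account
    that pulls a fresh record every 12 seconds in the middle of the night."""
    lines = []
    day = datetime(2013, 6, 1, 9, 0, 0)
    for i in range(6):  # normal account: six lookups spread across a working day
        ts = day + timedelta(hours=i, minutes=7 * i)
        lines.append(f"{ts.isoformat()} acct-1001 background_report rec-{10000 + i:05d}")
    night = datetime(2013, 6, 2, 2, 0, 0)
    for i in range(300):  # bulk account: 300 distinct records in one hour, starting at 02:00
        ts = night + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} acct-2002 background_report rec-{20000 + i:05d}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed 'timestamp account lookup_type record' format."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, record = line.split()
        entries.append((datetime.fromisoformat(ts), account, kind, record))
    return entries


def peak_lookups_per_window(timestamps, window):
    """Largest number of lookups falling inside any sliding window (two-pointer scan)."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] < window:
            j += 1
        best = max(best, j - i)
    return best


def flag_harvesters(entries, max_per_hour=50, off_hours=(22, 6)):
    """Return {account: [reasons]} for accounts whose volume or timing suggests harvesting."""
    by_account = defaultdict(list)
    for ts, account, _kind, record in entries:
        by_account[account].append((ts, record))
    flagged = {}
    for account, rows in by_account.items():
        times = [t for t, _ in rows]
        peak = peak_lookups_per_window(times, timedelta(hours=1))
        at_night = sum(1 for t in times if t.hour >= off_hours[0] or t.hour < off_hours[1])
        reasons = []
        if peak > max_per_hour:
            reasons.append(f"peak {peak} lookups/hour exceeds {max_per_hour}")
        if len(rows) >= 20 and at_night / len(rows) > 0.9:
            reasons.append("over 90% of lookups outside business hours")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_harvesters(parse_log(build_sample_log())).items():
        print(account, "->", "; ".join(reasons))
```

The two signals are deliberately simple (a per-hour ceiling and an off-hours ratio) so that the baseline can be set per customer tier; the point is that this control lives on the query path, where a resident bot cannot hide from it, rather than on the host, where the article notes the SSNDOB bots were built to avoid scans.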

SSNDOB also apparently offered an API to a select number of high-volume customers, which could allow others to build what Krebs described as "third-party identity-theft services."

All three companies affected by the SSNDOB botnet were tight-lipped about the extent of the damage or the amount of data lost to the outside world. A spokesperson for the FBI would only tell Krebs that the agency had an ongoing investigation into the case.

Worse, none of the companies seemed to know they had been breached until it was too late.

When asked, Krebs said, "It was clear from talking to the folks at LexisNexis, for example, that they were unaware of this breach for more than five months. That's notable because a group of even moderately skilled attackers can do a great deal of damage in such a huge timeframe, let alone a more advanced hacking team."

Krebs also noted that "none of the companies discussed how they were breached."

When asked if the breaches might have been all the easier to carry out because of legacy systems, Krebs replied, "One aspect of a follow-up story I will publish soon deals with the tools these SSNDOB guys used to hack hundreds of other companies, and in those cases they exploited poorly secured Cold Fusion servers."

One major reason Krebs feels this theft is particularly damaging is that it allows criminals to compromise knowledge-based authentication (KBA). KBA involves loan providers or credit card companies using the databases provided by the likes of LexisNexis to confirm someone's identity by asking them detailed questions about their previous mortgages or residence history. A criminal can harvest someone else's KBA data and use that to impersonate them on a loan application or other detailed financial transaction.

KBA has long been considered weak. Avivah Litan, a fraud analyst for Gartner, was convinced back in 2010 that KBA had long been compromised. And in 2011 Art Barger of TrustID proclaimed KBA dead, thanks in part to criminal data exchanges. Unfortunately, as with any such legacy methodology, KBA is not something that can be phased out overnight.
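To make the KBA weakness from the two paragraphs above concrete: a KBA challenge is built from the very aggregator record an identity thief can now buy, so its strength against a guesser collapses from a few bits to zero the moment that record leaks, while the legitimate user's experience is unchanged. The code below is an added example, not from the article, Krebs, Gartner or TrustID; the consumer record, the decoy pool and the step-up policy are all constructed for illustration, and "possession proof" stands in for whatever second factor (an out-of-band code, a registered device) a lender would actually use.

```python
"""Toy knowledge-based authentication (KBA) verifier and the policy change
that follows once the backing data is known to be exposed. Added example;
record, decoys and policy are assumptions."""
import math
import random

# Constructed consumer record, in the shape an aggregator-backed KBA service might hold.
RECORD = {
    "street you lived on in 2008": "Maple Ave",
    "lender on your 2010 mortgage": "First Example Bank",
    "employer in 2011": "Acme Corp",
}
# Constructed decoy answers used to pad each question out to a multiple-choice list.
DECOYS = {
    "street you lived on in 2008": ["Oak St", "Pine Rd", "Elm Ct"],
    "lender on your 2010 mortgage": ["Second Example Bank", "Example Credit Union", "Sample Savings"],
    "employer in 2011": ["Globex", "Initech", "Umbrella Co"],
}
OPTIONS = 4


def make_challenge(record, decoys, seed=0):
    """One multiple-choice question per record field: the true value plus decoys, shuffled."""
    rng = random.Random(seed)
    questions = []
    for prompt, truth in record.items():
        options = [truth] + decoys[prompt][: OPTIONS - 1]
        rng.shuffle(options)
        questions.append({"prompt": prompt, "options": options, "answer": truth})
    return questions


def verify_kba(questions, responses):
    """True only if every response matches the record-backed answer."""
    return len(responses) == len(questions) and all(
        q["answer"] == r for q, r in zip(questions, responses)
    )


def answers_from_data(questions, known):
    """Answer from whatever data the responder holds; unknown prompts fall back to the first option."""
    return [known.get(q["prompt"], q["options"][0]) for q in questions]


def guessing_bits(n_questions, n_options, record_known):
    """Work factor against a guesser, in bits; zero once the record is in the responder's hands."""
    return 0.0 if record_known else n_questions * math.log2(n_options)


def authenticate(questions, responses, kba_data_exposed, possession_proof_ok):
    """Decision policy: KBA alone is accepted only while its backing data is not known to be
    exposed; after exposure it is treated as informational and a possession factor is required."""
    if not verify_kba(questions, responses):
        return "deny"
    if kba_data_exposed and not possession_proof_ok:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    qs = make_challenge(RECORD, DECOYS)
    print("bits before leak:", guessing_bits(len(qs), OPTIONS, False))
    print("bits after leak: ", guessing_bits(len(qs), OPTIONS, True))
    print("record holder, KBA only, data exposed:", authenticate(qs, answers_from_data(qs, RECORD), True, False))
```

Three four-way questions give only six bits of work against a blind guesser (a fraction of a weak password), and anyone holding the aggregator record answers them exactly as the account owner would; `authenticate` is the defensive consequence, demoting KBA to a step-up prompt once the underlying fields are known to have been exposed rather than continuing to treat them as secrets.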

Krebs promises to release two more articles on his website that go into further details about SSNDOB and its botnet.